In recent years, cybercriminals implanted malicious skimming code directly on e-commerce shops and online content management and payment platforms as a way of stealing payment card data at scale. These attacks focused on identifying and exploiting vulnerabilities within these e-commerce platforms. With prominent victims such as British Airways, Ticketmaster, and Newegg, among others, this type of attack became known as “Magecart” and gained notoriety within information security circles and beyond. But as usual, this success brought about an increased focus by cybersecurity and e-commerce companies to identify “Magecart”-like vulnerabilities and improve detection and mitigation of such attacks.
In response, sharp cybercriminals turned to more targeted malware attacks of e-commerce merchants, particularly small to mid-size merchants. Their goal is to compromise the merchant’s payments processing account and steal all of the payment card data processed by the merchant. While the focus on small to mid-size merchants may seem counterintuitive, it is carefully designed to “fly under the radar” of larger and better-resourced merchants as well as financial institutions and card brands that monitor larger merchants.
Consequently, in the first half of 2019, we have observed a spike in the demand for such compromised e-commerce merchant accounts in the Dark Web. Specifically, up until October 2018, there was only one prominent cybercriminal actively seeking to purchase access to compromised merchants from other hackers. In the first half of 2019, there are many more players active in this market, resulting in a booming market for compromised e-commerce merchants, with cybercriminals willing to pay as much as $20,000 per merchant. The demand is likely to continue growing, further fueling growth in CNP fraud.
E-Commerce Merchants: A Hot Commodity in the Dark Web
The New Frontier on the Dark Web
Find out how we can work together to protect your institution from cyber crime.
get startedMarket Dynamics
Most of the cybercriminals on the demand side are seeking to acquire access to compromised e-commerce merchants using widespread free content management systems such as Magento, Opencart, or osCommerce. Additionally, these cybercriminals prefer merchants that execute direct payment on their e-commerce site as opposed to merchants that redirect to payment gateways (i.e., to a secure payment page hosted by a payment service provider or IFrame). In the case of direct payments, the e-commerce server typically processes transactions, payment, and customer data, allowing the cybercriminal to install malicious “sniffing” code that steals such data. More advanced cybercriminals have also developed or obtained tools to extract such data from merchants that redirect payments to third parties, giving them a wider pool of merchants to pursue.
Typically, cybercriminals purchase access to the compromised merchants from other cybercriminals, namely, hackers who have managed to infect these merchants with malware. Their skill sets are quite different – the “sellers” are technical operators skilled at running successful malware campaigns compromising merchants, whereas the “buyers” are fraudsters skilled at monetizing the compromised e-commerce merchants beginning with installing effective “sniffing” tools and ending with downstream fraud cash-outs. In some instances, the “buyers” do not commit the payment card fraud directly; instead, they sell the compromised payment card data in Dark Web marketplaces. We have identified cybercriminals that recently launched such marketplaces to sell the compromised payment card data obtained from compromised e-commerce merchants.
Prices for compromised merchants range between $300 to $20,000 per merchant and are closely tied to the size and type of the merchant. For example, merchants selling luxury goods with high transaction volumes are valued greater than merchants selling moderately-priced products with low transaction volumes. In many cases, the cybercriminals also enter into a partnership – no money is exchanged up front, and they agree to share the proceeds from the fraud scheme.
Cybercriminals are eager to buy compromised merchants of almost every size. Often, the minimum requirement is that the merchant process 3-5 orders per day. The following is a comparison of several dominant cybercriminals targeting e-commerce merchants:
| Buyer | Active Since | Merchant Criteria | Business Model |
| Buyer 1 | December 2016 | · Minimum 5 orders / day. · Excluding former Soviet Union countries. · Only direct payments merchants. |
Paying $300 -$20,000 per merchant or up to 85% revenue share. |
| Buyer 2 | October 2018 | · Minimum 3 orders / day. · Direct and redirect payments. |
Paying $300 -$8,000 per merchant or up to 80% revenue share. |
| Buyer 3 | February 2019 | · Excluding former Soviet Union countries, India, Brazil and Mexico. · Direct and redirect payments. |
· Purchase and revenue sharing. · Runs underground marketplace selling compromised payment cards. |
| Buyer 4 | May 2019 | · Minimum 10 orders / day. · Direct and redirect payments. |
· 50/50 revenue sharing. · Runs underground marketplace selling compromised payment cards. |
How Can Financial Institutions Win?
As e-commerce merchants (particularly small and mid-size merchants) are increasingly targeted and exploited by cybercriminals, financial institutions issuing credit and debit cards are facing greater fraud exposure. Fortunately, financial institutions can deploy strategies to transform their anti-fraud operations from reactive to proactive, thereby preventing fraud and the accompanying adverse customer experience:
- Identify compromised payment cards traded or shared on numerous “underground” marketplaces across the Dark Web, Deep Web, and beyond. Flag and action these cards to mitigate fraud.
- Flag compromised merchants weeks before they are made public. Identify payment cards processed by such merchants and action them before fraud starts piling up.
Learn how Q6 Cyber and Abrigo’s unique E-Crime Intelligence platform can help you do all that and more to bolster your anti-fraud program and stay a step ahead of your adversaries.
